👤 AUDITWOLF
🗓️ 21 Nov 2025  

Behind the Mask: How the Sturnus Trojan Turns Secure Chats into Open Books

New Android malware Sturnus sidesteps end-to-end encryption by reading messages on the device after the app has decrypted them, exposing private WhatsApp, Telegram, and Signal conversations of users across Europe.

Fast Facts

  • Sturnus is a new Android banking trojan that also targets secure messaging apps.
  • It can read WhatsApp, Telegram, and Signal messages in real time, after the app has decrypted them.
  • It harvests banking credentials with fake login screens overlaid on the real banking app.
  • It primarily targets users in Central and Southern Europe.
  • Sturnus abuses Android's Accessibility Service to read on-screen content; the encryption itself is never broken, only sidestepped.

The Trojan Horse in Your Pocket

Imagine a burglar who waits silently in your living room, watching every message you write - even those scribbled in invisible ink. That’s the chilling reality posed by Sturnus, a new Android banking trojan recently uncovered by security firm ThreatFabric. While still evolving, Sturnus is already capable of prying into the most private corners of supposedly secure messaging apps, turning encrypted conversations into open secrets.

Cracking the Code: How Sturnus Works

Unlike malware that intercepts data in transit over the network, Sturnus takes a sneakier route. It abuses Android's Accessibility Service - a feature meant to help users with disabilities by letting an app read and act on whatever is on screen - to monitor everything that appears on the phone's display. When a victim opens WhatsApp, Telegram, or Signal, Sturnus springs into action, logging keystrokes, reading contacts, and capturing entire message threads as they are rendered, all in real time. Because it reads messages after the app has decrypted them, even the strongest end-to-end encryption offers no protection: the encryption protects the message on the wire and on the servers, not on a compromised endpoint. An accessibility service has to be switched on by the user in the Settings app, so an infection depends on talking the victim into granting that permission; an unexpected request to enable an accessibility service is the moment to stop.

Beyond spying, Sturnus can display fake bank login screens over the genuine banking app, tricking users into handing over their credentials. It can also give the operators remote control over the infected device, making it a Swiss Army knife for cybercriminals. The malware is built to resist removal: it watches for attempts to uninstall it and actively fights back to stay in place.
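Both of the capabilities described above (screen reading through an accessibility service, and persistence that survives removal attempts) leave a footprint in two device settings a responder can pull over `adb`: the list of enabled accessibility services and the list of active device admins. The script below is an added triage example, not code from ThreatFabric or from this article. It parses the shape of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries) and of `adb shell dumpsys device_policy`, and flags any package holding those privileges that is not on an allowlist. The allowlist contents, the package names in the samples (`com.example.fakeupdate` and `com.example.corp.mdm` are placeholders, not indicators from the report), and the sample outputs themselves are constructed so the script runs offline.

```shell
#!/bin/sh
# Added triage helper (not from ThreatFabric or the article): list privileged
# Android packages that are not on an allowlist. On a real device, feed it:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy

# Assumption: packages expected to hold Accessibility or Device Admin rights.
# Adjust to the device's known-good set (TalkBack plus a hypothetical MDM here).
ALLOWED_PKGS="com.google.android.marvin.talkback com.example.corp.mdm"

# Constructed sample of the enabled_accessibility_services value: colon-separated
# "package/service-class" entries, one legitimate and one unknown.
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/com.example.fakeupdate.AccService"

# Constructed sample excerpt in the shape of `dumpsys device_policy` output.
# Admin entries appear as indented "package/ReceiverClass:" lines.
SAMPLE_DPM="Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corp.mdm/com.example.corp.mdm.AdminReceiver:
      uid=10150
    com.example.fakeupdate/com.example.fakeupdate.AdminReceiver:
      uid=10211"

# Return 0 if $1 is an allowlisted package, 1 otherwise.
is_allowed() {
  for p in $ALLOWED_PKGS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Print every package in a colon-separated accessibility list that is not allowlisted.
unknown_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
    pkg=${entry%%/*}          # strip "/ServiceClass"
    [ -n "$pkg" ] || continue
    is_allowed "$pkg" || printf '%s\n' "$pkg"
  done
}

# Extract admin package names from dumpsys device_policy text and print the
# ones that are not allowlisted. Only lines shaped "pkg/Receiver:" are considered.
unknown_admins() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*\([a-zA-Z0-9_.]*\)\/[^:]*:$/\1/p' \
    | while IFS= read -r pkg; do
        is_allowed "$pkg" || printf '%s\n' "$pkg"
      done
}

# Print a short report; return 1 if anything unexpected holds either privilege.
audit_device() {
  a11y=$(unknown_a11y "$1")
  admins=$(unknown_admins "$2")
  [ -n "$a11y" ] && printf 'Unknown accessibility services:\n%s\n' "$a11y"
  [ -n "$admins" ] && printf 'Unknown device admins:\n%s\n' "$admins"
  [ -z "$a11y" ] && [ -z "$admins" ]
}

audit_device "$SAMPLE_A11Y" "$SAMPLE_DPM" || echo "Review the packages above before trusting this device."
```

A package that shows up in both lists, as the constructed `com.example.fakeupdate` does, is exactly the combination that lets a trojan read the screen and obstruct its own removal; on a live device, replace the two sample strings with the `adb` outputs and treat any hit as a reason to pull the app's APK for analysis before the user logs into anything.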

Past Shadows and New Threats

Sturnus isn’t the first to target mobile banking. In recent years, Android malware families such as Anubis, Cerberus, and FluBot have used overlays and accessibility abuse to steal credentials. But Sturnus stands out for its focus on secure messaging - the apps people trust most for their privacy. This evolution reflects a growing trend: attackers shifting from intercepting network traffic, where encryption defeats them, to capturing information right on the device, where encryption cannot help once the endpoint is compromised.

ThreatFabric’s report suggests Sturnus is currently focused on Central and Southern Europe, but these campaigns often spread quickly. As mobile banking and encrypted messaging become daily habits worldwide, the stakes have never been higher. For cybercriminals, the smartphone is both a wallet and a diary - ripe for the picking if defenses fall.

Sturnus is a stark reminder that even the best digital locks can be bypassed if someone slips in through the front door. As our lives move ever deeper into our devices, the battle between privacy and prying eyes grows only more urgent - and ever more personal.

WIKICROOK

  • Banking Trojan: A Banking Trojan is malware that targets financial data by stealing banking credentials and personal information, often by mimicking trusted apps.
  • Accessibility Service: An Accessibility Service is an Android feature that assists users with disabilities, but can be misused by malware to control device functions.
  • End-to-End Encryption: End-to-end encryption is a security method where only the sender and recipient can read messages, keeping data private from service providers and network eavesdroppers; it does not protect a message once it is displayed on a compromised device.
  • Overlay Attack: An overlay attack uses fake screens placed over real apps to trick users into entering sensitive data like passwords or PINs, enabling credential theft.
  • Keylogging: Keylogging is a spying method where every keystroke you type is secretly recorded and sent to cybercriminals, risking your sensitive information.
